<html>
<head><meta charset="utf-8"><title>cargo update CVE check · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html">cargo update CVE check</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="148820317"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/148820317" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#148820317">(Nov 29 2018 at 21:21)</a>:</h4>
<p>Idea: When you run <code>cargo update</code>, cargo downloads a list of security issues affecting standard libraries (libcore/libstd) and the compiler. Then <code>cargo build</code> will warn/error when building with a version of rustc that has such a vulnerability.</p>



<a name="148820494"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/148820494" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#148820494">(Nov 29 2018 at 21:23)</a>:</h4>
<p>Relatedly, there's an issue on <code>cargo audit</code> to have it consider the stdlib.</p>



<a name="148820559"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/148820559" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#148820559">(Nov 29 2018 at 21:24)</a>:</h4>
<p>Example from the recent past: We run <code>cargo update</code>. The update downloads the info for CVE-2018-1000810. Before it is fixed, the info will say that it "affects all versions of the toolchain" and building with any version of the toolchain will warn. When Rust 1.29.1 was released then the next <code>cargo update</code> would download the info that says CVE-2018-1000810 was fixed in Rust 1.29.1. Then building with any version older than Rust 1.29.1 would warn/error and building with Rust 1.29.1 or later would not.</p>



<a name="148820660"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/148820660" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#148820660">(Nov 29 2018 at 21:25)</a>:</h4>
<p><span class="user-mention" data-user-id="130046">@Alex Gaynor</span> Not just the stdlib, but also the compiler and the rest of the toolchain (Cargo, at least).</p>



<a name="148820714"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/148820714" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#148820714">(Nov 29 2018 at 21:26)</a>:</h4>
<p>e.g. when "fastcall" was miscompiled.</p>



<a name="148820737"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/148820737" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#148820737">(Nov 29 2018 at 21:26)</a>:</h4>
<p>Or the recent borrow checker bugs.</p>



<a name="148820810"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/148820810" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#148820810">(Nov 29 2018 at 21:27)</a>:</h4>
<p>(The borrow checker bugs didn't get CVEs but I argued that they should have in <a href="https://www.reddit.com/r/rust/comments/8xqrz5/announcing_rust_1271/e25yugs/" target="_blank" title="https://www.reddit.com/r/rust/comments/8xqrz5/announcing_rust_1271/e25yugs/">https://www.reddit.com/r/rust/comments/8xqrz5/announcing_rust_1271/e25yugs/</a>)</p>



<a name="148832199"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/148832199" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#148832199">(Nov 30 2018 at 00:54)</a>:</h4>
<p><code>std</code> is how the issue is filed, but yes the issue is more general, it's the whole Rust toolchain. anyway here's the issue <a href="https://github.com/RustSec/cargo-audit/issues/46" target="_blank" title="https://github.com/RustSec/cargo-audit/issues/46">https://github.com/RustSec/cargo-audit/issues/46</a></p>



<a name="148882602"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/148882602" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#148882602">(Nov 30 2018 at 19:21)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> IMO <code>cargo audit</code> shouldn't be a separate command but should instead be built into the <code>cargo update</code> process, in the long term. But otherwise, I agree that that seems to be what I'm talking about.</p>



<a name="148883277"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/148883277" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#148883277">(Nov 30 2018 at 19:31)</a>:</h4>
<p>FWIW <code>cargo-audit</code> is distinct from <code>cargo</code> because the response from the core team, at the time, was to prototype it out-of-tree, but maybe it's worth attempting to upstream now <a href="https://github.com/rust-lang/rfcs/pull/1752" target="_blank" title="https://github.com/rust-lang/rfcs/pull/1752">https://github.com/rust-lang/rfcs/pull/1752</a></p>



<a name="150692201"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150692201" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150692201">(Dec 01 2018 at 18:18)</a>:</h4>
<p>I feel cargo-audit is more than a prototype at this point, and it's about time that info got actually shipped to users - be it via cargo, github, crates-audit or all of them.<br>
By the way, performing these checks only on <code>cargo update</code> might not be the best idea. That's what <code>yarn</code> and <code>npm</code> do, but they only work that way because that's the only place they could put that information. We could also do that on <code>cargo build</code>, for example.</p>



<a name="150692342"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150692342" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150692342">(Dec 01 2018 at 18:23)</a>:</h4>
<p>What people probably care most about is running vulnerable services in production, which is not mitigated by notifying on any cargo command. Some kind of pre-packaged tool that ingests Cargo.lock of a production service and pokes me if something goes wrong would be great. I'm pretty sure 90% of that is already implemented in <code>cargo-audit</code>, all it needs is a way to poke me when something goes wrong - email, tweet, something. Since checking a cargo.lock is not a lot of work, I guess this could even be hosted as a service.</p>



<a name="150693367"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693367" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693367">(Dec 01 2018 at 18:58)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> re: looking for deployed vulnerable build artifacts, yup, I noted as much in cargo-audit <a href="https://github.com/rust-lang/rust/issues/46" target="_blank" title="https://github.com/rust-lang/rust/issues/46">#46</a></p>



<a name="150693379"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693379" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693379">(Dec 01 2018 at 18:59)</a>:</h4>
<p>at one of my previous employers we had an agent which collected the Ruby equivalent of Cargo.lock from production servers and cross-referenced that with the RubySec database</p>



<a name="150693385"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693385" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693385">(Dec 01 2018 at 18:59)</a>:</h4>
<p>and autofiled JIRA ( <span class="emoji emoji-1f629" title="weary">:weary:</span> ) tickets about production vulnerabilities, and closed them when the responsible team deployed a version which resolved the vulnerabilities</p>



<a name="150693543"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693543" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693543">(Dec 01 2018 at 19:04)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> <code>cargo build</code> shouldn't do networking.</p>



<a name="150693546"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693546" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693546">(Dec 01 2018 at 19:04)</a>:</h4>
<p>Doesn't it already since it can pull down dependencies?</p>



<a name="150693569"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693569" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693569">(Dec 01 2018 at 19:06)</a>:</h4>
<p>Nobody should use <code>cargo build</code>, only <code>cargo build --locked</code>. <code>cargo build --locked</code> should become the default behavior. If <code>cargo build</code> pulls dependencies then you haven't verified your dependencies are safe to use before running their build script.</p>



<a name="150693623"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693623" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693623">(Dec 01 2018 at 19:07)</a>:</h4>
<p>While that's certainly reasonable, it also departs significantly from current behavior and the community's attitude towards this stuff. I'm not sure that <code>cargo audit</code> shouldn't follow the same approach - network by default, but optionally locked for folks who either don't have network access, or want a reproducible build, or care more about security, etc.</p>



<a name="150693669"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693669" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693669">(Dec 01 2018 at 19:08)</a>:</h4>
<p>Pretty sure nobody wants a network ping on every build.</p>



<a name="150693673"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693673" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693673">(Dec 01 2018 at 19:08)</a>:</h4>
<p>Obviously, if/when <code>cargo build</code> does an implicit <code>cargo update</code> then it would do everything that <code>cargo update</code> does.</p>



<a name="150693674"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693674" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693674">(Dec 01 2018 at 19:08)</a>:</h4>
<p>I feel like the empirical evidence - that <code>cargo build</code> has that exact behavior - suggests otherwise.</p>



<a name="150693680"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693680" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693680">(Dec 01 2018 at 19:09)</a>:</h4>
<p>I was thinking cross-referencing against a local instance of vulnerabilities database. AFAIK <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> index is already cached locally in full</p>



<a name="150693686"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693686" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693686">(Dec 01 2018 at 19:09)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> I believe that's the case.</p>



<a name="150693687"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693687" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693687">(Dec 01 2018 at 19:09)</a>:</h4>
<p>Does cargo build do a networking request on every build, or only when it needs to update dependencies/</p>



<a name="150693690"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693690" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693690">(Dec 01 2018 at 19:09)</a>:</h4>
<p>Ah, I'm not sure about that.</p>



<a name="150693692"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693692" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693692">(Dec 01 2018 at 19:09)</a>:</h4>
<p>I think only the latter</p>



<a name="150693739"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693739" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693739">(Dec 01 2018 at 19:10)</a>:</h4>
<p>I guess a vuln database is meaningfully different in that <em>the latest version</em> is a much more appropriate version to use than <em>whatever version we have installed that works</em>.</p>



<a name="150693741"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693741" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693741">(Dec 01 2018 at 19:10)</a>:</h4>
<p>For versions of source code, it's a much less important distinction.</p>



<a name="150693799"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693799" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693799">(Dec 01 2018 at 19:12)</a>:</h4>
<p>I don't think people would accept default behavior of a network ping on every build</p>



<a name="150693808"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693808" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693808">(Dec 01 2018 at 19:12)</a>:</h4>
<p>Yeah you're probably right.</p>



<a name="150693820"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693820" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693820">(Dec 01 2018 at 19:13)</a>:</h4>
<p>Especially, if you think there's a possibility that a <a href="http://build.rs" target="_blank" title="http://build.rs">build.rs</a> or a test is malicious or equivalently buggy, you couldn't even start the build unless/until you've got the response.</p>



<a name="150693824"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693824" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693824">(Dec 01 2018 at 19:13)</a>:</h4>
<p>Maybe <code>cargo audit</code> could use a heuristic of how frequently it checks? E.g., the DB is considered stale after <code>n</code> hours or something like that, unless you pass a flag to force update.</p>



<a name="150693827"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693827" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693827">(Dec 01 2018 at 19:13)</a>:</h4>
<p>hourly database refreshes should be more than enough for non-production stuff like <code>cargo build</code></p>



<a name="150693888"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693888" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693888">(Dec 01 2018 at 19:14)</a>:</h4>
<p>More generally, cargo build could be configurable to indicate how often <code>cargo update</code> should be run.</p>



<a name="150693906"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693906" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693906">(Dec 01 2018 at 19:15)</a>:</h4>
<p>Not much difference between needing to update a dependency because somebody wrote up a CVE and the developer fixed it, vs. the developer fixed a bug without a CVE.</p>



<a name="150693912"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693912" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693912">(Dec 01 2018 at 19:15)</a>:</h4>
<p>Especially since what's considered advisory-worthy is very subjective.</p>



<a name="150693913"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693913" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693913">(Dec 01 2018 at 19:15)</a>:</h4>
<p>Yeah, I think that's reasonable.</p>



<a name="150693984"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150693984" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150693984">(Dec 01 2018 at 19:18)</a>:</h4>
<p>e.g. OpenSSL didn't apply for CVEs for a few side-channel bugs that I would consider serious, and they're close to making that their normal policy. And BoringSSL only has one CVE even though there were multiple serious bugs, IIRC.</p>



<a name="150694250"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150694250" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150694250">(Dec 01 2018 at 19:26)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> checking against the local database is at least possible, as a copy is kept locally in <code>~/.git/advisory-db</code></p>



<a name="150694251"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo%20update%20CVE%20check/near/150694251" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo.20update.20CVE.20check.html#150694251">(Dec 01 2018 at 19:26)</a>:</h4>
<p>err, <code>.cargo</code></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>